server {
    listen 8443 ssl;

    server_name .example.org;

    ssl_certificate      tls.d/example.org.chain.crt;
    ssl_certificate_key  tls.d/example.org.pem;

    root static.d/example.org;
}

server {
    listen 8443 ssl;

    server_name www.example.org;

    ssl_certificate      tls.d/www.example.org.chain.crt;
    ssl_certificate_key  tls.d/www.example.org.pem;

    root static.d/www.example.org;
}

## optional: cut-off server
server {
    listen 8443 ssl default_server bind deferred;

    server_name _;

    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    ## reject connections early
    ssl_reject_handshake on;
}